1. Vol 30 - (Q1/2012) PP 15526/10/2012(031392)Securing Your Software Development Life CycleAnalysis of Vulnerabilities ReportBenefits of ISO/IEC 27005:2011 Information Security Risk ManagementSecurity is, I would say, our top priority because for all the exciting things you will be able to do withcomputers.. organizing your lives, staying in touch with people, being creative.. if we dont solve thesesecurity problems, then people will hold back. Businesses will be afraid to put their critical information on itbecause it will be exposed Bill Gatese-Security | CyberSecurity Malaysia 2012 | Vol: 30 (Q1/2012)

2. ii e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 3. For the past few years, we have seen the birth to a gamut of new age cyber threats and how they are encroaching more into every sphere our lives and they come in multi-dimensions. In 2011, we have also seen the emergence of social media and mobile devices etc that has complicated the global cyber security landcape which is further worsened by users ignorance, technical incompetency, and lack of strategic cyber security collaboration. We take necessary steps to curb this situation, among others knowledge sharing initiatives via e-Security Bulletin. It is expected that 2012 and beyond will be challenging as cyber crime is consistently becoming sophisticated due to the rapid advancement in technology. In 2011, CyberSecurity Malaysia has received 5,328 online fraud incidents that include various types of Internet scams. That number alone is more than the total number of similar incidents in 2010 and double of those reported in 2009. It is not an exaggeration to say that internet scams i.e. love scams, financial fraud, identity theft etc are fast becoming the crime of choices. For every investigation in the news, there are hundreds that will never make the headline. We learn that criminals can hardly get caught, and even if they do, they can be hardly convicted.As the technology evolves, the risks posed by cyber threats also continue to grow in both scale and sophistication. New techniques andmethods may emerge, and the traditional ones would become obsolete. As such, our attitudes towards cyber security should also evolvedand innovated.The explosion of Internet has also created the phenomenon towards digital hacktivism. 2011 also witnessed hacktivist groups such asAnonymous went rampage, worst than the year before. Indeed, Anonymous is a revolutionary group, and it will be more sophisticatedin the future. Hence our approach towards combating it has to be equally revolutionary.Cyber security requires an innovation or perhaps a fundamental shift in approach towards solving the problems; and we have to act fastto stay ahead. 2012 onward, we need to understand the evolving cyber threats and how they work, and to develop the tools and methodsto combat them. We should create more robust and resilient cyber space that can withstand attacks, and also help detect and preventcyber attacks from occurring. We also need talented people with innovative ideas and commitment from both local and global key cybersecurity players.Until next time, have a prosperous and secure year ahead. Thank you.Thank you and warmest regards,Lt Col Prof Dato Husin Jazri (Retired) CISSP CBCP CEH ISLACEO, CyberSecurity MalaysiaGreetings and welcome to the first edition of eSecurity Bulletin for 2012. Some interesting topics have been lined up in this editionsuch as security in Software Development Life Cycle (SDLC), principles of security and information security risk management.Also, short but important tips on how to secure your iPad is included. Please spend time to read through the articles.I would like also to highlight our CyberSecurity Clinic which started its operation in September last year. Some of the servicesbeing offered are data recovery (for your hard disk, thumb drive, memory card or server), data sanitization and ICT services.Please visit the CyberSecurity Clinic website (www.cybersecurityclinic.my) for further information.Last but not least, I want to take this opportunity to thank all contributors for their valuable knowledge sharing. I look forward formore contributions from the security professionals.Best Regards,Asmuni YusofLt Col Asmuni Yusof (Retired), EditorMyCERT 1st Quarter 2012 Summary Report 01Security Challenges Emerge with IPv6 Launch 15Benefits of ISO/IEC 27005:2011 Information Security04Principles of Security17Risk Management Keep your data safe: Top 4 tips on Securing iPad21Securing Your Software Development Life Cycle08Analysis of Vulnerabilities Report 11PUBLISHED AND DESIGN BY 4. MyCERT 4th Quarter 2011 Summary Report1 Introductionhad increased while other incidents showeda decrease. The MyCERT Quarterly Summary Report provides an overview of activities Figure 1 illustrates incidents received in Q1 carried out by the Malaysian Computer2012 and classified according to the type of Emergency Response Team (hereinafter incidents handled by MyCERT. referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT. The summary highlight statistics of incidents according to categories handled by MyCERT in Q1 2012, comprising of security advisories and other activities carried out by MyCERT personnel. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussions of theFigure 1: Breakdown of Incidents by Classification in Q1 2012 incidents. Computer security incidents handled by MyCERT are those thatFigure 2 illustrates incidents received in Q1 occur or originate within the Malaysian constituency. MyCERT works closely with2012 and classified according to the type other local and global entities to resolve of incidents handled by MyCERT as well as computer security incidents. a comparison with the number of incidentsreceived in the previous quarter. Incidents Trends Q1 2012 Quarter Incidents were reported to MyCERT byCategories of IncidentsQ4 Q1Percentage various parties within the constituency 2011 2012 as well as from foreign sources, whichIntrusion Attempt 209 46-77.99 include home users, private sector entities, Denial of Service 1 5400 government agencies, security teams from Spam299 201 -32.77 various countries, foreign CERTs, Special Interest Groups including MyCERTs proactiveFraud 1153 1491 29.31 monitoring on several cyber incidents.Vulnerability Report 11 1645.45 Cyber Harassment105 80-23.80 From January to March 2012, MyCERT, via Content Related11 7 -36.36 its Cyber999 service, handled a total of 3,143 incidents representing a 4.40 percent Malicious Codes 142 189 33.09 decrease compared to Q4 2011. In Q1 2012, Intrusion 1357 1108 -18.34 incidents such as Denial of Service, Fraud,Figure 2: Comparison of Incidents between Q4 2012 and Q1 2012 Vulnerabilities Report and Malicious Codee-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 5. 2Figure 3 shows the percentage of incidentsFigure 4 shows the breakdown of domainshandled according to categories in Q1 defaced in Q4 2011.2012.Figure 4: Percentage of Web Defacement by Domain in Q1 012Account compromise incidents continueFigure 3: Percentage of Incidents in Q1 2012in this quarter as was in the previous onewith an increase of 68 incidents comparedIn Q1 2012, a total of 1,108 incidentsto 57 in Q4 2011. Account compromiseincidents has become a trend nowadayswere received on Intrusion representingin which unscrupulous individuals takean 18.34 percent decrease comparedadvantage of various techniques toto the previous quarter. The Intrusioncompromise legitimate accounts. Theincidents reported to us were mostly webincrease in Internet banking and usagedefacements or known as web vandalism of social networking sites combined withfollowed by account compromises. Basedlack of security awareness had contributedto the increase in account compromiseon our findings, the majority of webincidents. Account compromise incidentsdefacements wereduetovulnerable reported to us involved mostly free basedweb applications or unpatched servers email accounts and social networkinginvolving web servers running on IIS andaccounts. These incidents could have beenApache. prevented if users practised good passwordmanagement such as using strongpasswords and properly safeguarding them.In this quarter, we received a total of 689.MY domains defaced belonging to variousUsers may refer the URL below for goodsectors such as private and governmentpassword management practises:sites hosted on servers belonging to localh t t p : / / w w w. a u s c e r t . o rg . a u / re n d e r.web hosting companies. MyCERT responded html?it=2260http://www.us-cert.gov/cas/tips/ST04-to web defacement incidents by notifying002.htmlthe respective Web Administrators torectify the defaced websites by following Incidents involving fraud had increasedour recommendations.to about 29.31 percent in this quartere-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 6. compared to the previous quarter. Fraudas Adobe PDF Reader and Multiple Microsoft incidents continue to be a trend in this Vulnerabilities. Attackers often compromise3 quarter and is one of the most frequentlyend-users computers byexploiting reported incidents to Cyber999. In fact, vulnerabilities in the users applications. fraud has become a global trend involvingGenerally, the attacker tricks the user into phishing, Nigerian scams, lottery scams,opening a specially crafted file (i.e. a PDF illegal investments and job scams as itdocument) or a web page. provides attractive financial returns to the perpetrators.Readers can visit the following URL on A total of 1,153 incidents were received inadvisories and alerts released by MyCERT: this quarter, from organisations and homehttp://www.mycert.org.my/en/services/ users. Phishing incidents involving foreignadvisories/mycert/2011/main/index. and local brands still prevail in this quarter html. along with other types of frauds. Incidents on job scams also increased targeting otherConclusion industries such as hospitals and specialist centres.In conclusion, the number of computer We continue to receive incidents on cybersecurity incidents reported to us in this harassment in this quarter. However, the quarter had decreased slightly compared number had dropped to about 23.80 percentto the previous quarter. However, several with a total of 80 incidents. Harassment categories of incidents reported to us reports generally involved cyberstalking,continue to increase. The slight decrease cyberbullying, threatening done via emails could be a positive indication that more and social networking sites. A new trend Internet users are aware of current threats we observed in this quarter is luring victimsand are taking proper protection measures into posing nude in front of video camsagainst them. No severe incidents were while chatting with the perpetrators viareported to us in this quarter and we did Skype or MSN Messenger. The captured nude pictures of these victims will then be usednot observe any crisis or outbreak in our to threaten the victims to pay some amount constituencies. Nevertheless, users and of money failing which the pictures will beorganisations must be constantly vigilant of publicly exposed on social networking sites. the latest computer security threats and are We advised users to be very precautiousadvised to always take measures to protect with whom they communicate or chat their systems and networks from these on the Internet especially with unknownthreats. individuals. In Q1 2012, MyCERT had handled 189Internet users and organisations may contact incidents on malicious codes, which represented a 33.09 percentage increaseMyCERT for assistance at the below contact: compared to the previous quarter. A few of the malicious code incidents we handledE-mail: mycert@mycert.org.my were active botnet controllers, hosting of Cyber999 Hotline: 1 300 88 2999 malware or malware configuration files Phone: (603) 8992 6969 on compromised machines and malwareFax: (603) 8945 3442 infections on computers. Phone: 019-266 5850SMS: Type CYBER999 report Advisories and Alerts & SMS to 15888http://www.mycert.org.my/ In Q1 2012, MyCERT had issued a total of ten advisories and alerts for its constituencies Please refer to MyCERTs website for latest involving popular end-user applications such updates of this Quarterly Summary. e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 7. Benefits of ISO/IEC 27005:2011 InformationSecurity Risk Management 4BY | Noor Aida Idris, Lt Col Asmuni Yusof (Retired)Introductionof confidentiality, integrity, availability)and providing clients, partners andThe increasing numbers of cyber regulators, assurance of compliancesecurity incidents has resulted into an internationally recognised setmanaging information security as one of of information security requirements.the top agendas in many organisations.It is a risk-based approach thatOrganisations have to keep up-to- provides a holistic and structured waydate with information security risksin managing information security forintroduced by new and advancedorganisations.technologies, in addition to their ownreliance with such new technology since Risk management is an importantorganisational information now residesconcept through information securityin a digital world as well as in physical management. Information security riskmediums.management is needed to ensure theconfidentiality, integrity and availabilityInformation security management of information assets is preserved bywas introduced toensure organisations. According to (Humphreys,organisations were able to secure 2008), risk management is the key totheir most valuable information information security governance by anassets, which concerns critical organisation and to the protection of itsbusiness information. By proactivelyinformation assets. If the organisation isprotecting information assets and unaware of the risk(s) it faces, it will notmanaging information security risks,deploy or implement security controls;organisations can reduce the likelihood thus fail to protect its most critical assets.and/or the impact on their informationSeveral guidance are available to assistassets from a wide range of information organisations manage their informationsecurity threats. Today, there are varioussecurity risks, one of it is ISO/IECmechanisms being practised by different 27005:2011 Information Security Riskorganisations in managing information Management. The objective of this papersecurity. Among which is via informationis to convey benefits of implementingsecurity management systems based information security risk managementon ISO/IEC 27001: 2005 Informationbased on ISO/IEC 27005:2011 InformationSecurity Management Systems (ISMS) -Security Risk Management.Requirements.ISO/IEC 27001 is one of the published Introduction to ISO/IECstandards in the ISO 27000 family that27005:2011- Informationprovides the general requirements for Security Risk Managementimplementing informationsecuritymanagement systems. This standard ISO/IEC 27005 contains description ofprovides organisations with means for information security risk managementprotecting their information (in termsprocesses and activities, which providee-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 8. guidelines to organisations to managerisk assessment, information security5 their information security risks. This risk treatment, information security risk standard, which was first introduced acceptance, information security risk in 2005, has been revised recently and communication and consultation and re-published in 2011. The standard is oneinformation security risk monitoring and of the standards which play a significantreview. These five processes are illustrated role for the successful implementation ofin Figure 1. ISMS. Benefits of ISO/IEC 27005 In the authors opinion, there are several key advantages when organisations refer to ISO/IEC 27005 for implementing information security risk management. Firstly, this standard can be used by any type of organisation. Secondly, this standard supports the requirements of information security risk assessment specified in ISO/IEC 27001. And thirdly, this standard, which has been revised to align with three other risk management standards, can be used by organisations that wish to manage their information security risks in similar fashion to the way they manage other risks. This standard is applicable to any type of organisation Figure 1: ISO/IEC 27005 Information Security Risk Management Processes One of the attractions of ISO/IEC 27005 is the risk management processes described in the standard which is The standardsupports risk applicable to all organisations, no matter assessment requirements specified the size or type. As a matter of fact, the in ISO/IEC 27001 information security risk management processes defined by the standard canAnother key benefit offered by the be applied not just to the organisationISO/IEC 27005 standard is that it as a whole, but to any discrete part ofsupports the information security risk the organisation (e.g. a department, assessment requirements specified in a physical location, a business serviceISO/IEC 27001. Thus, organisations or a critical function), any information that wish to be certified against ISO/ system, existing or planned or particularIEC 27001 certification may refer to aspects of control (e.g. businessISO/IEC 27005 when implementing the continuity planning).information security risk assessment. Information security risk management The mapping of clauses in ISO/IEC 27005 described in ISO/IEC 27005 consistswith risk assessment requirements in of five processes which are: context ISO/IEC 27001 is discussed in detail establishment, information securitybelow:e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 9. a)Clause 7 Context establishmenton the outcome of the risk assessment,In ISO/IEC 27005, the context of riskthe expected cost for implementing 6management for an organisation isthese risk treatment options and theestablished first. In establishing context expected benefits from these options.for risk management, both external The information security risk treatmentand internal context for setting the processes is in line with ISO/IECbasic criteria necessary for information 27001:2005 clause 4.2.1 f) Identify andsecurity risk management, defining the evaluate options for the treatment ofscope and boundaries, and establishing risks.an appropriate organisation operating theinformation security risk management.d) Clause 10 InformationThe context establishment process issecurity risk acceptancein line with ISO/IEC 27001:2005 clause The decision to accept the risks4.2.1 c) Define the risk assessmentand responsibilities for decisionsapproach of the organisation.are made and formally recorded in the information security riskb) Clause 8 Information securityacceptance process. This process is risk assessment important to ensure that the upperThe context establishment processmanagement is aware of the risksis followed by a risk assessment and also on the plans to treat theprocess.There are three subrisks. The information security riskprocesses includedin a riskacceptance process is in line withassessment process which are riskISO/IEC 27001:2005 clause 4.2.1identification, risk analysis andg) Select control objectives andrisk evaluation. Risk assessment controls for the treatment of risksprocess determines the value of theand h) Obtain management approvalinformation assets, identifies the of the proposed residual risks.applicable threats and vulnerabilitiesthat exist (or could exist), identifiese) Clause 11 Information securitythe existing controls and their effectrisk communication andon the risk identified, determinesconsultationthe potential consequences and Theriskcommunication andfinally prioritises the derived risksconsultation process involves activitiesand ranks them against the riskto achieve an agreement on how toevaluation criteria set in the context manage risks by exchanging and/orestablishment. The information sharing information about those riskssecurity risk assessment process between the decision-makers andis in line with ISO/IEC 27001:2005 other stakeholders. The informationclause 4.2.1 d) Identify the risks and securityriskcommunicationande) Analyse and evaluate the risks. consultation process is in line with ISO/IEC 27001:2005 clause 4.2.4c)Clause 9 Information security c) Communicate the actions and risk treatmentimprovements to all interested partiesNext is the risk treatment process. Thewith a level of detail appropriate to theinformation security risk treatmentcircumstances and, as relevant, agreeprocess involves planning to treat on how to proceed.the identified risks. There are 4options available for risk treatment:f)Clause 12 Information securityrisk modification, risk retention, risk risk monitoring and reviewavoidance and risk sharing. Selecting theOn-going monitoring and reviewrisk treatment options should be based ofcurrent informationsecurity e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 10. 7risks are important because risksinformation security risk management are not static. New threats andand implementing ISMS based on ISO/ vulnerabilities may arise at any point IEC 27001. in time; likelihood or consequences may change abruptly without anyConclusion indication. Thus,constant and continuous monitoring on the risks Information security risk management is necessary to detect these changes.is one of the requirements in ISO/IEC By conducting regular monitoring 27001 ISMS. As stated earlier, ISO/ and review may also ensure thatIEC 27005 is an essential companion the risk management context, the for implementing ISMS based on ISO/ outcome of the risk assessment IEC 27001. The advice and guidance and risk treatment plans remaincontained in the standard is useful relevant to the organisation. Thefor anyorganisationintending information security risk monitoring tomanage their information and review process is in line with security risks effectively. The three ISO/IEC 27001:2005 clause 4.2.3 d) advantages described in this papercan be enjoyed by organisations Review risk assessments at plannedmanaging their information security intervals and review the residualrisks based on ISO/IEC 27005. risks and the identified acceptable levels of risks. Easy alignment with other risk References management standards Another advantage for organisations1. ISO/IEC, Information Technology that choose ISO/IEC 27005 when security techniques information implementing information securitysecurity risk management systems, risk management is that they can ISO/IEC 27005 International Standard, align the way they manage other2011. risks, such as enterprise-wide risks,2. ISO/IEC, Information Technology with information security risks. Thissecurity techniques information security is due to ISO/IEC 27005 being revisedmanagement system Requirements, recently to reflect changes in threeISO/IEC 27001 International Standard, risk management standards which are:2005. ISO 31000:2009 - Risk management3. International Organization for- Principles and Guidelines;Standardization website, www.iso.org, ISO 31010:2009 - Risk managementaccessed on 23 March 2012.- Risk Assessment Techniques; and 4. ISO27001 Security website, www. ISOGuide73:2009 - Riskiso27001security.com, accessed on 23Management Vocabulary.March 2012.5. Humphreys, E. 2008. Information As an example, organisations thatsecurity managementstandards: have adopted ISO 31000 for managingCompliance, governance and risk their enterprise-wide risks may findmanagement, information security that they can manage their information security risks in a similar fashion. technical report 13 (2008) 247255. Thus, lesser time and resources may6. HumphreysE.2010. Information be used when embarking on theSecurity Risk Management Handbook journey of adopting ISO/IEC 27005 forfor ISO/IEC 27001, BSI Standards.e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 11. Securing Your Software Development LifeCycle 8BY | Norahana Salimin When an organisation(SDLC) comes into the picture asincorporates security inan attractive preventive measure.its SDLC, inevitably it Securing SDLC benefits from productsand applications that are Software Development Life Cycle(SDLC) [2] is a process, modelsecure by design.and methodology of creating ormodifying an information system.Accordingto theInternationalIntroductionInformation Systems SecurityCertification Consortium, Inc. (ISC)Quality software does not really mean [3], secure SDLC phases comprisedof Requirement, Design, Coding,secure software. Building securityTesting, Acceptance, Deployment,into software development is oftenOperations, Maintenanceandseemed as a major pain in the neck. Disposal. Initially, developers mustIn certain cases, security is treated have firm concepts of softwareas an obstacle to the successfulsecurity. With a solid knowledge incompletion of a software project. security concepts, only then can itbe applied to the phases outlinedThats the reason why security isin SDLC. This paper discusses the bestusually considered as the last factor.practices on securing the phases of SDLC.The emergence of worldwide cyber-attacks especially in Malaysia [1], Requirementwhere the attackers were targetingThe requirement phase or securesoftware (mostly web applications)requirement is defined astheused by government agencies, critical outline of security controls and thenational information infrastructure integration of those security controls(CNII) and high profile corporations, into the development process. Policy,raised a pertinent question. Howstandards, patterns and practices (PnP),seriously did the government andexternal regulatory and compliancethe corporate sector viewed security? requirements must be included into thesecurity requirements. Confidentiality,How do they ensure that sensitiveintegrity, availability, authentication,data belonging to ordinary citizens orauthorisation and auditing of datacustomers are not exposed or stolen?must also be included. A way toThere are possibilities that corrective gather these security requirementsactions may have been taken tois by referring to the modellingresolve the situation.However,methodologies of used and misusedwhat about preventive measurescaseswhere understanding theto ensure that lightning does not threats against a system will producestrike twice? This is where securingthe countermeasures to protect thethe software development life cycle system. e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 12. Design Acceptance Secure concept in the design phase is basicallyThe acceptance phase is secured by9 about structuring the software from a security ensuring that the software in question perspective. Performing a threat modelling meets the necessary requirements before exercise will identify the surface attacks being deployed. In the pre-deployment and security criteria that will be valuable in stage, the completion criteria and risk structuring the software in terms of security. acceptance levels needs to be outlined. Security criteria must be met before a particularSoftware documentation shouldbe software is released for deployment. The in place. In the post-release stage, principles of security design are many. Amongindependent testing, validation and them are those having the least privilege, verification of the said software by third separation of duties, complete mediation,parties such as obtaining a Common defence in depth, fail safe, weakest links, single Criteria certification may be applied. point of failure, etc. The technologies being used to match these designs are identity and Deployment, Operations, Maintenance authentication management, information flowand Disposal control, audit management, data protection,The deployment, operations, maintenance digital rights management, computing anddisposalphaseconcernson environment and integrity management.vulnerabilities that have not been counteredby the software and future vulnerabilities Coding that may be discovered during deployment. Secure coding involves the usage of codingSoftware that is delivered to customers and testing standards, applying securityshould be digitally signed to avoid being testing tools such as fuzzing and static-tampered with. Installation of software analysis code scanning and the review ofshould be securely deployed with the help source codes. Knowing common softwareof an installation manual. Configurations vulnerabilities and countermeasures such asshould be hardened to avoid incorrect injection, cross site scripting, buffer overflowsystem implementations. The secure and broken session management is a mustusage of software or system operations to ensure these vulnerabilities are coveredshould be documented in the operation during coding. Defensive coding practicesmanual. Patch management and support can be applied such as type safe practises, memory management, error handling andmanagement should be implemented to locality. Source code versioning is also gather information from users on errors important to ensure verified codes are not they encountered, as this may be the overwritten by unverified source codes. To source for attackers to launch an attack. ensure codes are not being tampered, digitally signing source codes is now a good practise. When software is to be replaced or retired,several processes need to be in place to Testingensure it is executed in a secure manner. If a Secure testing is conducted when softwarereplacement system exists, the replacement functionalities are complete and ready toshould be operational before retirement enter testing trials. These trials must nottakes place. Approval from the management be ignored. Black box test is focused on is required before any act of removal or testing without knowledge regarding thereplacement is carried out. Only then the design of the software. White box test onsystems access controls are terminated or the other hand is testing with the requiredremoved to prevent unauthorised access. knowledge. Fuzz testing is executed by Finally, the retired system or software services injecting random data to observe the are to be shut down to reduce the attack behaviour of the software while defensivepotential, securely delete configurations coding testing is the examination of and data from the server and eventually common vulnerabilities in the software.uninstalling the system.e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 13. Initiatives to improve securityit was executed in a secure process. However, the depths of verifying the SDLC processes willon SDLC depend on the evaluation assurance level (EAL) 10For a child, early childhood education such as chosen by the developer for their product. Thepreschool and kindergarten is the best method to benefit of a CC certified product is that thefoster a greater learning development. The samedeveloper will have some level of assurance thatconcept applies with our security environment. their product was properly tested and verified byThe kindergarten for most software developers is a third party on its security features. The otherthe higher learning institutions. These institutions benefit is that the developers potential customerscan play an important role in the initiative to(government agencies or corporations) maysecure product lifecycles. It can be achieved by favour a CC certified product because of a certainemphasising more security aspects in the syllabus to level of confidence in the security functionalities.teach future developers the importance of securityas a whole. Collaboration between the academicworld and security experts from the industry can Conclusionalso speed up the transfer of knowledge since ithas become more familiar with the current trends The initiatives taken by developers to secureand approaches on the how-to methodologies.overall software lifecycle and the extraWith these efforts, our future developers will initiatives taken to promote secure producthave a security-in-mind attitude while developingdevelopment and usage by the governmenttheir software, thus reducing the potential of and higher learning institutions will eventuallydesigning unsecured software.reduce the possibility of a successful attack and exploitation. This will then ensure thatCyberSecurity Malaysia [4], as the national cyberonly hack-resilient software is created. Securingsecurity specialist centre and an agency under the software lifecycles are not an all-in-one solutionpurview of the Ministry of Science, Technology because it also very much depends on theand Innovation (MOSTI) provides ICT security hosts, networks and the people using the stated software. However, at least, security flaws arespecialist services and continuously monitors detected at an early stage and thus, reducethreats to national security. In translating the software vulnerabilities from being exploited.responsibility into implementation, CyberSecurity With all these joint initiatives, we will at leastMalaysia is pioneering the initiative in securinghave some assurance that our informationICT products, regardless of the state of being i.e.and ICT environment are secure from cyber-software, hardware or firmware. Furthermore, attacks.this initiative was established to promote secureproduct development for developers. Theinitiative was implemented by establishing a Referencesproduct evaluation scheme in Malaysia. 1. Malaysia GovernmentWebsitesThe established scheme [5] is now known as Disrupted, http://www.bloomberg.the Malaysian Common Criteria Evaluation and com/news/2011-06-16/malaysia-Certification (MyCC) scheme. The Information government-websites-attacked.htmlSecurity Certification Body (ISCB) and the 2. System Development Life Cycle, Wikipedia, http://Malaysian Security Evaluation Facility (MySEF) en.wikipedia.org/wiki/Systems_Development_were established under CyberSecurity MalaysiaLife_Cycleto execute certification and evaluation processes3. CSSLP Candidate Information Bulletin, Inc., (ISC)separately. The standards [6] that are being portal, https://www.isc2.org/cib/default.aspxused are Common Criteria (CC) and Common 4. CyberSecurity Malaysias Web Portal,Methodology for Information Technology Security http://www.cybersecurity.myEvaluation, which are international standardsthat are widely used for independent security5. Malaysian Common Criteria Evaluationevaluation in ICT products. When a developer and Certification (MyCC) scheme portal,enters into a CC certification, CyberSecurityhttp://www.cybersecurity.my/mycc/Malaysia MySEF will evaluate not only the product6. Common Criteria Web Portal, http://but also the SDLC phases of the product to ensurewww.commoncriteriaportal.org/ e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 14. Analysis of Vulnerabilities Report11 BY | Sharifah Roziah Binti Mohd KassimIntroduction AnalysisVulnerability is referred to as security Type ofJan Feb Marvulnerability or a flaw in a software orVulnerabilitiesapplication that makes it infeasibleMisconfiguration -2 0 4even when the product is used properly. DisclosureThe presence of vulnerabilities insoftware or application providesWeb 0 4 8opportunity to attackers to exploit System0 1 0it andcompromiseasystem. TOTAL2 512Vulnerabilities reports refer to reports Table 1: Vulnerabilities Report Q1 (Jan - Mar) 2012or incidents regarding vulnerabilitiesthat are present in a system, softwareor application.Vulnerabilities Report is sub classifiedinto the followings: Misconfiguration: A problem exists with certainmisconfigurations which may allow root access or system compromise from anyGraph 1: Vulnerabilities Report Q1 (Jan - Mar) 2012 account on the system and might lead to information leak, dataOut of the 19 incidents, six incidents manipulation and many more. involved misconfigurations, 12 involved Web: User or complainant report websites and one involved system as vulnerabilities which are related toshown in Table 2 and Graph 2 below. websites. System: User or complainant report Type of Vulnerability Total vulnerabilities on any specificMisconfiguration -6 system.DisclosureWeb12Vulnerabilities Reports are basicallyreceived from third parties and verySystem1seldom from the owner of the systems Table 2: Total Incidents on Sub Categories of Vulnerabilitiesor web themselves. Third partiesinclude those from CyberSecurityMalaysia on pro-active monitoringand information received from trustedsources such as from security mailinglists and other Computer EmergencyResponse Teams.Vulnerabilities Reports received mustbe validated first by checking if thereported vulnerability actually exists.Once validated, Incident Handlerswill inform the respective ownersof the vulnerability and providerecommendations for rectification. Table 2: Percentage of Incidents by Sub Categories of Vulnerabilities e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 15. 12From the graph above we can seethat the majority of vulnerabilitiesincidents involved web with a totalof 63 percent compared to othersub categories. This is followed bymisconfigurations at 32 percent andsystems at 5 percent.Researchers at WhiteHat Security havediscovered that the duration of anaverage site exposed to vulnerabilitiesis about 270 days before they areremediated. The big time gap actuallyGraph 3: Percentage of Incidents on Different Types ofgives more opportunity for attackersVulnerabilitiesto exploit the vulnerable websites.Vulnerabilities in web are mostlydue to vulnerable web applicationsBased on analysis, the most populardue to improper input validation andvulnerability reported is SQL Injectionsanitisation, improper error checkingand handling. vulnerability representing 30 percentcompared to other vulnerabilities.Web Application Developers canThis is followed by Informationfollow general good practises inDisclosure representing 29 percentsecuring their web applications and Cross Site Scripting which iswhere inputs are properly validated at 25 percent. Directory Listing,and sanitised and errors are properlyOpen Redirection, Logic Error andchecked and handled.Improper Data Validation each is atVarious types of vulnerabilities were four percent.discovered based on the incidentsreceived which were SQL Injection,An open redirect is an applicationDirectory Listing, Info Disclosure, that takes a parameter and redirectsImproperDataValidation,Open a user to the parameter value withoutRedirection, Logic Error and Cross Site any validation. This vulnerabilityScripting. The number of incidentsis used in phishing attacks to getreceived on the above vulnerabilities users to visit malicious sites withoutcan be referred at Table 3 and Graphthem realising it. Cross-site scripting3 below.(XSS) is a type of computer securityvulnerability typically found in Web Jan FebMar TOTALapplications (such as web browsersthrough breaches of browser security)SQL Injection257that enables attackers to inject client-Directory Listing1 1side script into web pages viewed byInfo Disclosure1 247other users. SQL injection is an oftenImproper data1 1used technique to attack databasesvalidationthrough a website. This is usuallydone by including portions of SQLOpen11statements in a web form entry fieldRedirectionor GET requests in an attempt to getLogic Error 11the website to pass a newly formedCross Site66rogue SQL command to the databaseScripting (e.g. dump the database contents to Table 3: Figure on Different Types of Vulnerabilitiesthe attacker).e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 16. 13Administrators may refer to the URLlisting on any folders handled bybelow for recommendation on fixing the web server.SQL Injection vulnerabilities: 2. Information disclosure or data leak which enables anyone to viewh t t p : / / w w w. m y c e r t . o r g . m y / e n / database information belongingresources/web_security/main/main/to the website.detail/573/index.html 3. Email accountpasswordsInformation disclosure enables anbelonging tousers in anattacker to gain valuable informationorganisations had been leaked/about a system. The disclosure disclosed and posted on publiccould be due to unintentionalwebsites such as at pastebin.acts, misconfigurations or due to4. Misconfigurations that allow anyvulnerabilities. user to view file configurations of a system or web.Directory listing is referred to as a web5. Vulnerable websites allows usersserver that is configured to display to change the value of their totalthe list of all files contained in thisamount of payment that haddirectory. This is not recommended been valued/passed by a websitebecause the directory may contain to payment gateways duringfiles that are normally not exposedthrough links on the web site. A payment processes. By right,user can view a list of all files from websites should not allow usersthis directory possibly exposing to modify the value or paymentsensitive information. Logic error isparameters as the value is a fixeda bug in a programme that causes value set by the website.it to operate incorrectly, but not to6. Vulnerabilities found in the webterminate abnormally (or crash). A applications allowingremotelogic error produces an unintended oruserstoviewphpmyadminundesired output or other behaviour, settings.although it may not immediately be 7. Information disclosure byrecognised as such. Improper data government staffs on public/freevalidation is when software does notvalidate input properly, an attacker discussion groups the likes ofis able to craft the input in a form YahooGroup.that is not expected by the rest 8. Cross site scripting is a webof the application. This will lead application vulnerability allowingto parts of the system receiving a remote attacker to trick usersunintended input, which may result in executing malicious scripts viain an altered control flow, arbitrarytheir websites.control of a resource, or arbitrarycode execution.Out of the 19 incidents received on Vulnerabilities Report, a totalCommon incidents related toof 25 websites and systems werevulnerabilities found in Q1reported. Thesewebsites and2012:systems belonged to various sectors1. Directory Listing on web serverranging from government agencies,due to misconfiguration on the financial institutions and privateweb server which allows directoryand educational entities as shown in e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 17. Table 4 and Graph 4. 14Sectors TOTALGovernment10Banking/Financial Institu- 1tionsPrivate Sector12Educational2Table 4: Figure on total incidents based on SectorsGraph 5: Break of Type of Vulnerability Based on SectorsConclusionIn conclusion,thenumber ofincidents received in this quarteronVulnerabilities Reportwasconsidered low with a total of 19incidents. Though the number wasnot alarming, System Administratorsmust be vigilant on vulnerabilitiesthat may be present in their systemsGraph 4: Total Incidents on Vulnerability Reports basedand applications. The repercussionson Sectorsfrom these vulnerabilities can besevere to the affected organisationsA total of 12 vulnerable websites wereeven due to a small misconfigurationfound to belong to private sector firms,in their systems such as disclosurefollowed by 10 website involvingof sensitive information to the publicgovernment agencies, two websites belonging to the organisation. Theinvolving educational institutions anddisclosed information can be furtherone website involving a banking firm. manipulated by irresponsible partiesfor malicious purposes on the net. AsOut of the figures above, Information such, System Administrators mustDisclosure vulnerabilities were mainlyalways make sure their systems anddetected in the government sector applications are regularly patched/websites which were at four websites, updated and checked/fixed forfollowed by private sector with two any errors or misconfigurations.websites. Banking and educational In addition, they are advised tosector recorded one website eachregularly monitor their logs tothat were vulnerable to Information detect any anomalous activities indisclosure, as can be referred to in Graphtheir systems. 5. SQL Injection and Cross Site Scriptingvulnerabilities were mainly found inwebsites belong to the private sector Referenceswith four websites on SQL Injection andanother four websites on Cross Site 1. h t t p : / / i n f o s e c i s l a n d . c o m /Scripting, followed by the government blogview/12417-Report-Websites-sector with three websites vulnerable toRemain-Vulnerable-to-Attacks.htmlSQL Injection and one website vulnerable2. http://www.mycert.org.myto Cross Site Scripting.3. http://www.sans.orge-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 18. Security Challenges Emerge with IPv615 BY | George Changorganizations and Web leaders suchMost systems that areas Google, Facebook and Yahoo!, not IPv6 enabled haveamong others have made the leap the ability to handle ato the updated Internet protocol, work-around, which isIPv6, in an official worldwidelaunch. Yes, this time, IPv6 is hereto wrap an IPv6 packetto stay. with an IPv4 header. They read the header, but theyA nd the transition has bec om eincreasinglynecessary.T he cannot read the contentscurrent IPv 4 protocol, w hi c hof the packet itself.can handle around 3. 7 bi l l i onaddresses, has simply run outof address space, thanks in p artNo doubt, the global launch of theto the mobile dev ice explo s i on.Internet Protocol, IPv6 on June 6,Meanwhile IPv 6, for all in te nts2012 ushers in a new era in the and purposes, has unlim i t e devolution and widespread adoption address capacity to accommo d ateof Internet infrastructure around a rapidly growing global Inte rne tthe globe. As the successor to theand mobile infrastructure.current Internet Protocol, IPv4,IPv6 is critical to the InternetsHowever, with the launching ofcontinued growth as a platformthe IPv6 protocolworldwide,for innovation and economic researchers and IT professionalsdevelopment.are anticipating some challenges,especially on the security front.The world already has had a smalltaste of what is to come in June of For one, the relative newness andlast year during World IPv6 Day.lack of knowledge around theSpearheaded by the Internet Society,IPv6 protocol will inevitably pavethe effort galvanized more than the way for misconfigurations,1000 Web sites, tech companiescompatibility issues and otherand ISPs to collectively switch toimplementation gaffes. There isIPv6 for a total of 24 hours in annot the institutional knowledgeeffort to test drive the protocol around IPv6 the way there is aroundto predetermine and mitigate anyIPv4, which has been around forpossible glitches that might occurdecades and enjoys an extensiveduring an actual launch.knowledge base.On June 6, 2012, top tech But perhaps the biggest security e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 19. 16issue isthat manysecuritysecurity devices could be overlookingnetworking devices are equippedcritical pieces of malicious trafficwith capabilities that allow themthat could potentially compromiseto forward IPv6 traffic, but not their network.inspect it. And, because IPv6is enabled by default on manySome of the policies in IPv4platforms in networks today such and technologies you rely uponas Windows 7 IPv6 compliantmay only work in IPv4 andsystems are already installed in not IPv6, which means gapstheir networks.in your security coverage. In t h i s c a s e , h o w e v e r, k n o w i n gMost systems that are not IPv6 is not even half the battle.enabled have the ability toUpgrading networking securityhandle a work-around, whichinfrastructure to accommodateis to wrap an IPv6 packet with IPv6 is no small undertaking anda n I P v 4 h e a d e r. T h e y r e a d t h e will likely take years to be phasedh e a d e r, b u t t h e y c a n n o t r e a d t h e in c o m p l e t e l y. S u b s e q u e n t l y,contents of the packet itself. many organizations,facingThey cannot do their normalpotentially costly andtimedeep packet inspection, and they consuming hardware upgrades,just forward the packet. Onlyare not planning to embrace IPv6when they have a dual stackany time soon.implementation would they beallowed to simultaneously allowYet enterprises cannot shy awaynetwork security functionality tofrom the issue for too long as aboth process and fully inspect lot more IPv6 traffic will hit theirpackets from both the IPv4 and networks after the 6 June launching.IPv6 protocols.When IPv6 is going to be 5 to 10 percent of your data rather thanSeveral vendorshavethisa fraction of a percent upgradefunctionality it not all and thatsavoidance becomes much harderone of the risks facing networkto justify. Enterprises and CIOssecurity professionalstoday. need to start pondering over thePeople have to make sure thatproblem soon. their security product can inspectIPv6 traffic. If it can just forwardIPv6 traffic, it could be forwardingmalicious content. George Chang is Fortinets Regional Director for Southeast Asia & Hong Kong. Fortinet is a leading provider of network security appliancesEven with a dual stack and the worldwide leader in Unified Threat Man-implementation,however, agement or UTM. Fortinet integrates multipleorganizations need to determinelevels of security protection (such as firewall, an-if they have the same feature settivirus, intrusion prevention, VPN, spyware pre-enabled for the IPv4 protocol as vention and antispam) to help customers protectthey do for IPv6. If not, the networkagainst network and content level threats.e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 20. Principles of Security17 BY | John HopkinsonThe Principles of Security must be be responsible for ensuring that anykept in mind and should underlay actions related to the processing and/all security guidelines and activities.or sanitisation do not serve to degradeThey are particularly important, and or otherwise compromise the integrityshould be used for guidance, whenof the information technology system.the rules (laws, policies, etc.) are The use of information technologyabsent, not clear, or are in conflict. systems are intended to augment humanThe following Principles of Security capabilities, but is not intended todoes not tell you what to do, but they replace, circumvent, or otherwise renderprovide guidance in deciding whatobsolete, the basic concept of individualactions you need to take.accountability.Sensitive InformationLeast PrivilegeAll organisations have information, theAny person, or surrogate informationdisclosure or compromise of which, bytechnology resource or feature, shallwhatever means, may have undesirable only be granted that privilege necessaryconsequences. Ithas long beento perform their assigned task orestablished that structured physical function.protection of sensitive information is anecessity. With the growing dependence Need-To-Knowon information technology, it followsthat structured protection must existAny person shall only be given accesswithin those resources.to a specific information technology resource if such access is required inProven Environment the completion of assigned tasks. Only individuals authorised to access sensitiveUntil proven secure by a responsible information shall be allowed access toauthority, no environment shall be information technology systems:assumed to be secure. The assumptionof security poses a greater threat than that process sensitive informationthe absence of security. For example, it have processed sensitive information incannot be assumed that the complexitiesthe past but have not been appropriatelyof commercially supplied hardware orsanitised.software afford any level of protection.Individual AccountabilitySegregation of ResponsibilityAny person who possesses, or through the Responsibilities must be segregated souse of information technology system(s), that, as far as possible, no one person hasprocesses sensitive information, shall betotal control over a particular resourceresponsible for the safeguarding of that or process. To avoid total control, dualinformation and shall be accountable responsibility should be implementedtherefore. Any person who uses anso that manipulation of that resourceinformation technology system whichcannot be accomplished without theprocesses sensitive information shallknowledge of another person. e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 21. Security EffectivenessControls18Security is only as good as the knowledge No control, or a combination thereof,and attitude of the people who use it.will ever provide total protection.Acceptance of some measure of risk isWeak Link Syndromeunavoidable. All controls must satisfythe following:Overall security is only as good as theweakest link. These weak links can be The risk that is being addressedexploited by unauthorised parties with must be describedmalicious intent. The risk should be capable of beingMutual Acceptancemonitored for change of magnitudeIf a group of people or an individual The risk should be quantified, so that the magnitude of risk to bewishes to communicate with others, accepted is identifiedthe communication must be acceptableby all parties privy to it. The chain ofcommunication is constantly at risk Risk Acceptanceeven when information is held in trust. Risk acceptance is a valid andan appropriate technique for theLevels of Protectionprovision of cost effective security.The levels of protection must beRisk acceptance may only be used byimplemented gradually so as to be a competent authority, generally thiscommensurate with the sensitivity ofrefers to the Owner.the information processed.Security FailureContinuity of ProtectionIn all cases of security failure, or doubtAll security principles, policies and arising as to the appropriate action thatmechanisms for their implementation inneeds to be taken, the guiding principlesan information technology environment are Default to the Most Secure. Onlymust be invoked at all times unless in exceptional circumstances shall thespecific dispensation has been grantedcompetent authority moderate thisby an appropriate authority. In such aprinciple. A decision to moderate mustcircumstance, a time period must be be confirmed periodically in writing.stipulated.Human FallibilityProtection Implementation Individuals who have been screenedUnless deemedimpossibleor should be able to be trusted. However,unnecessary byanappropriate people are fallible and thereforeauthority, protection features must bemechanisms and services must beimplemented to provide multiple levelsin place to help prevent people fromor rings of security. making mistakes. Mr. Hopkinson has extensive experience in the securityAssurance of Protection field in both the military and commercial sectors. As a re-searcher in information technology security, he focused onAutomatic and/or manual protectionassurance, risk analysis, risk management, and securitytechniques must be employed regularly metrics. He develops strategies with regard to standardsand consortia activities, and action plans to fulfil those strat-to verify that all security mechanismsegies. He assists organizations in developing their securityare invoked and operating properly. strategies and plans to implement those strategies. e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved 22. Keep your data safe: Top 4 tips on Securing19 iPadJust in case you have neverthe information. The l e s sheard of an iPad, it is a tablet information y ou grant, thecomputer from Apple Inc. Its less risky it is.size and weight which fallbetweensmart phonesand Dont jailbreak y our i P ad ,laptop computers make it a unless y ou strictly nee d apopular device nowadays. The jailbroken app or feature . Iflatest model - iPad 3 had been y ou do jailbreak it, be su re t olaunched recently with excitingchange the root password . features and new specifications.If you have already bought thelatest Apple iPad or planningto buy one for yourself soon, Fortinet is a leading provider of networkh e r e i s s o m e g o o d a d v i c e f ro m security appliances and the worldwide leader inAxelleApvrille, F o r t i n e t s Unified Threat Management (UTM). Fortinet inte-SeniorMobile Anti-Virusgrates multiple levels of security protection (suchResearcher:as firewall, antivirus, intrusion prevention, VPN, spyware prevention and antispam) to help cus- I f c o n n e cte d to 3G : kee p an tomers protect against network and contente y e o n yo ur su bscr i ptionlevel threats.b i l l , i n pa r ti cul a r re l atedt o s e n di ng S M S o r I nte rnetu sa g e . Thi s i s wh a t m o b ilem a l w a re u se th e mo st, so ifs o m e t h i ng i s wro ng, checky o u r a pps a n d repo r t anyi s su e t o AV vendo r s a nd/oryouroper a to r.S u spi ci ouss a m p l e s ca n be se nt foranalysis tosu bm i tvi r us@f o r t i n e t.co m . D o n t ha ve yo u r pa sswordss t o re d by the bro wse r. Ra ther,u se a we l l -kno wn/wel l -r atedp a s sw o rd sa f e a ppl i ca ti o n. D o n o t l et a ppl i ca ti o ns usey o u r c ur rent l o ca ti o n o r anyo t h e r pr i va te da ta , u nlessy o u re al l y wa nt the m to use e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved